Sibros Compliance - WP.29

UNECE WP.29 for R155 & R156

Cybersecurity in Depth and by Design

Schedule DemoDownload Whitepaper
UNECE Logo

WP.29 & Sibros

Sibros’ innovative and paradigm-shifting Deep Connected Platform addresses vulnerabilities associated with software update management systems and mitigates cyberattacks with a vertically-integrated and compromise-resistant data management and OTA update solution.

WP.29 Sibros

Cybersecurity Management Systems (CSMS)

Checkmark icon
Manage cybersecurity risks in both software update systems and vehicle design. 
Checkmark icon
Vehicle lifetime protection from R&D to post-production and decommissioning. 
Checkmark icon
Multi-level access and signature points to safeguard against manipulation and hacking. 

Software Update Management Systems (SUMS)

Checkmark icon
Full lifecycle documentation, update history, and secure data storage. 
Checkmark icon
Full-vehicle ECU and software version checks and image verification
Checkmark icon
Hazard Analysis and Risk Assessment (HARA) for safe and secure software update installation and integration.

Security at Every Stage

Paperwork icon

Information Security Best Practices

Full process documentation and security controlled data storage, employee documentation and security procedure training for quality assurance.

Security Icon

Safety Assurance Mechanisms

Vehicle “safe state” and health verification prior to update installation and rollback mechanism to preserve functionality in the event of an update failure.

Search icon

Target Identification Processes

Vehicle groupings based on static and dynamic characteristics, enabling targeted updates and software fixes.

Light bulb icon

Management Protocols

Comprehensive and adaptable cybersecurity management system for the full vehicle lifecycle to preemptively identify, categorize, and address cyber threats and attacks.

Paper search icon

Vehicle Type Approval

Deep data access and analysis enables exhaustive risk assessment of critical in-vehicle hardware and software.

Paperwork icon

Version Checks

Unique identifiers for hardware and software update packages to ensure update validity and integrity.

Bootloaders Icons

Compliant OTA Processes

Update creation, transfer, and receiving processes for full compliance with WP.29 SUMS requirements.  

Bootloaders updates

Uptane

Automotive specific open-source CSMS framework and multi-layered cryptographic algorithms to safeguard OTA updates.

Is Your Fleet Protected Against Cyberattacks? 

Contact us to schedule a demo and learn more.

Schedule Demo
OTA data logger

Concept Phase

The item must be defined along with its relation to cybersecurity goals and concepts. 

Item Definition

Identify item information.

<Including> 

  • Item boundary that distinguishes the item from its operational environment, including interfaces with other internal items and/or external systems
  • The intended behavior of the item during each lifecycle phase and the expected vehicle functionality realized by the item.
  • Description of the preliminary architecture, including component and connection identification and information on relevant cybersecurity standards. 

Describe the operational environment and its interactions as relevant to cybersecurity, including the identification and analysis of relevant threat scenarios and attack paths.

Cybersecurity Goals

Perform an analysis based on item definition. 

<Including> 

Identification Of:

  • Assets 
  • Threat scenarios
  • Impact ratings 
  • Attack paths
  • Attack feasibility rating
  • Risk values

Determine risk treatment based on analysis results for each threat scenario.

Specify cybersecurity goals for any risk treatment decision and threat scenario including risk reduction as a solution.

Specify corresponding cybersecurity claims for any risk treatment decision that includes:

  • Sharing the risk, or
  • Retaining the risk based on one or more assumptions

Perform verification to confirm the correctness, completeness, and consistency of: 

  • The analysis with respect to the item definition
  • Risk treatment decisions with respect to the analysis results.
  • Cybersecurity goals and claims with respect to risk treatment decisions.
  • All cybersecurity goals and claims of the item.

Perform verification to confirm the correctness, completeness, and consistency of: 

  • The analysis with respect to the item definition
  • Risk treatment decisions with respect to the analysis results.
  • Cybersecurity goals and claims with respect to risk treatment decisions.
  • All cybersecurity goals and claims of the item.
Cybersecurity Concept

Describe the technical and operational cybersecurity controls in place to  achieve cybersecurity goals. 

<Including>

Considerations for:

  • Functional dependencies in the item, and/or
  • Cybersecurity claims, including conditions for achieving cybersecurity goals and functions dedicated to addressing aspects of various threat scenarios

Define the cybersecurity requirements of the item and operational environment to achieve the cybersecurity goals. 

<Including>

  • Specific item features or capabilities 
  • Operational environment requirements to confirm the accomplishment of cybersecurity goals

Allocate cybersecurity requirements to items and applicable components.

Verify the results of all aspects of the cybersecurity concept to ensure completeness, correctness, and consistency with respect to cybersecurity goals and claims.

Product Development

Cybersecurity-related components and their respective cybersecurity specifications must be specified, defined, and evidence provided regarding specification effectiveness.

Design

Define cybersecurity specifications based on:

  • Any cybersecurity specifications from higher levels of architectural abstraction
  • Cybersecurity controls for implementation,
  • Existing architectural design

Assign the defined cybersecurity requirements to components of the architectural design.

Specify applicable procedures to ensure cybersecurity after component development. 

Consider the following when design, modeling, or programming notations are used for cybersecurity

specifications or implementation:

  • Clear and comprehensible definition of syntax and semantics.
  • Modularity, abstraction and encapsulation support
  • Support for constructs support
  • Support for secure design and implementation techniques

Any cybersecurity criteria for design, modeling, or programming that is not addressed by the language itself must be accounted for in the design, modeling and coding guidelines, or the development environment.

Apply established and trusted design and implementation principles to prevent or reduce cybersecurity vulnerabilities.

Analyze cybersecurity specification to identify and address weaknesses.

Verify cybersecurity specifications to ensure completeness, correctness, and consistency with specifications from higher levels of architectural abstraction.

Integration and Verification

Verify that all defined cybersecurity specifications are met in the implementation and integration of components.

Specify integration and verification activities based on: 

  • Cybersecurity specifications;
  • Applicable series production configurations 
  • Sufficient functionality support as specified in cybersecurity specifications
  • Complicity with applicable modeling, design, and coding guidelines

Evaluate verification testing activity coverage and sufficiency by using defined test coverage metrics.

Perform testing to confirm, minimize, and manage unidentified weaknesses and vulnerabilities in the component. 

<Methods Include>

  • Functional testing
  • Vulnerability scanning
  • Fuzz testing
  • Penetration testing

Provide rationale in the event that appropriate verification and integration is not performed.

Cybersecurity Validation 

Cybersecurity goals and claims must be confirmed and validated along with the elimination of any unreasonable risks. 

Cybersecurity Validation 

Confirm validation activities at the vehicle-level that consider the configurations for series production.

<Including>

  • Adequacy of cybersecurity goals for threat scenarios and corresponding risks 
  • Achievement of item cybersecurity goals 
  • Validity of cybersecurity claims
  • Applicable validation of operational environment requirements

Provide a rationale for the selected validation activities.

Post-Development Phases

Cybersecurity requirements must be applied and the introduction of new vulnerabilities prevented.

Production

Create a production control plan for post-development including the application of cybersecurity requirements.

Include the following in the production control plan:

  • Application sequence for post-development cybersecurity requirements
  • Any equipment and production tools
  • Production cybersecurity controls to prevent unauthorized access or alteration 
  • Confirmation methods to ensure post-development cybersecurity requirements are met.

Implement the production control plan.

Operations and Maintenance

Cybersecurity must be maintained after production, including the implementation of remedial activities for any and all incidents. 

Cybersecurity Incident Response

Create a cybersecurity incident response plan for every cybersecurity incident. 

<Including>

  • Remedial actions based on vulnerability management procedures 
  • A communication plan involving all relevant internal and external parties as appropriate.  
  • Designated responsibilities for remedial actions
  • Procedures for recording new and relevant information pertaining to the cybersecurity incident
  • A method or measure for determining progress.
  • Cybersecurity incident response closure criteria 
  • Any actions required for incident closure

Implement the cybersecurity incident response plan.

Updates

Develop updates and relevant capabilities within the vehicle in accordance with ISO 21434 and WP.29 R156.

End of Cybersecurity Support and Decommissioning

Methods and procedures for communicating the end of cybersecurity support and the decommissioning of relevant items and components.

Create a procedure for customer communication of the end of cybersecurity support for an item or component.

By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.
DenyAccept
Products
Company
Ready to Get Started?
Reach out to schedule a demo and learn more.
Get Connected
Copyright @ 2023 Sibros Technologies Inc.
All Rights Reserved.